[Android app] Privacy Concern: Excessive Tracking (New Relic) and GDPR Compliance
under review
Julien
Dear You.com team,
I am reaching out to express my deep concerns about the privacy practices I’ve encountered while using your platform. As a paying customer, I appreciate the value your service provides, but the current data collection practices (particularly involving 'New Relic' tracking) leave me feeling coerced into sacrificing my privacy—a situation that is neither acceptable nor compliant with best practices or GDPR principles.
I will try to develop my main concerns:
- Excessive Data Collection (New Relic)
Using the DuckDuckGo browser on a Google Pixel 7 Pro with CalyxOS, I detected thousands of tracking attempts from New Relic in a single session. This tracker collected extensive details, including:
- Unique device identifiers (persistent tracking enabled)
- Device model and brand
- Network operator details
- OS version, screen resolution, and connection type
- Geolocation (country) and device language
- App version and specific metrics
Such an aggressive level of tracking raises serious concerns about: data minimization and purpose limitation (GDPR Art. 5(1)(b) & (c)), user profiling risks through unique identifiers, and transparency: users are not clearly informed about this level of data collection or its specific purposes (maybe this is written somewhere but I didn't find that information).
- Coerced Consent for Paying Users
As a paying customer, I feel forced to accept invasive tracking practices. While I understand that some data collection may be necessary for service functionality, the lack of transparency and opt-out mechanisms leaves me no real choice. This situation violates the spirit of GDPR’s consent requirements, which state that consent must be freely given, informed, and unambiguous (Art. 7).
- GDPR Compliance and Technical Implementation
I question whether the current implementation with New Relic respects GDPR principles, particularly:
Transparency (Art. 5(1)(a)): users are not adequately informed about the extent of tracking or the third-party tools used; data minimization (Art. 5(1)(c)): the volume of data collected appears disproportionate to the functional needs of the service; and purpose limitation (Art. 5(1)(b)): it is unclear how this data is used or why such granular tracking is necessary.
Additionally, alternative privacy-preserving monitoring tools exist, which could reduce reliance on third-party trackers like New Relic. To address these concerns and rebuild trust with your users, I strongly recommend the following actions:
- Privacy-First Options for Paying Users: Granular Data Control (allow Pro users to opt out of non-essential trackers (e.g., New Relic) without compromising access to the service) and Privacy Mode (implement a dedicated privacy-first mode with no third-party tracking).
- Alternatives to New Relic
You could evaluate privacy-friendly server-side monitoring tools that do not rely on invasive client-side tracking and limit client-side data collection to essential metrics directly related to functionality or performance.
- Transparency & Trust Building through transparency reports (publish regular reports detailing the purpose and scope of data collection, including third-party tools like New Relic), a privacy dashboard (a user-facing dashboard where customers can view and manage what data is being collected) and eventually independent audits (commit to regular third-party audits of your data collection practices to ensure compliance with GDPR and user privacy expectations).
As a loyal, paying subscriber, I value the service you provide and want to continue using it. However, the current data collection practices force me into a position where I must compromise my privacy to access the service I’ve paid for. This undermines trust and creates a negative experience for customers like me who prioritize privacy.
By adopting the solutions outlined above, You.com has the opportunity to differentiate itself as a privacy-first search engine and assistant that builds stronger trust with its user base by ensuring compliance with GDPR regulations (and thereby avoids potential legal risks).
I can't imagine that you.com won't take these concerns seriously, with priority given to the privacy and trust of users.
Joel Midden
under review
Julien
ADDENDUM
Critical Privacy Concerns: AppsFlyer and Sentry Trackers Detected via Exodus Privacy
As a follow-up to my previous message, I would like to share additional findings that further highlight my privacy concerns regarding the tracking practices in your app. Using Exodus Privacy, I potentially identified the presence of AppsFlyer and Sentry, both of which raise significant issues regarding transparency, data usage, and GDPR compliance.
### 1. AppsFlyer: A Major Privacy Concern
- Data Collected: AppsFlyer collects extensive user data, including:
  - Unique device identifiers (e.g., Google Advertising ID, IP address).
  - Device information (model, OS version, screen resolution).
  - User behavior (in-app events, app interactions).
  - Potentially geolocation data.
- Privacy Risks:
  - The data collected enables detailed profiling of users, which can be used for targeted advertising without explicit user consent.
  - AppsFlyer is particularly problematic because it focuses on marketing rather than core app functionality.
Transparency Issues: It seems that there is no mention of AppsFlyer in your Privacy Policy or app documentation, leaving users unaware of its presence or role. This lack of disclosure violates GDPR principles of transparency (Art. 5(1)(a)) and informed consent (Art. 7).
### 2. Sentry: Crash Reporting SDK
Concerns with Sentry’s Integration:
- Data Collected: Sentry collects diagnostic data related to app crashes, but it is unclear:
  - Whether this data includes personally identifiable information (PII) or sensitive user details.
  - How long the data is retained and whether it is anonymized.
- Transparency Issues: Similar to AppsFlyer, there is no documentation explaining Sentry’s role, what data it collects, and how it is processed.
GDPR Implications: The integration of Sentry without clear user notification or an opt-out mechanism raises questions about compliance with GDPR principles of data minimization (Art. 5(1)(c)) and purpose limitation (Art. 5(1)(b)).
Julien
### 3. Broader Transparency Concerns
The presence of AppsFlyer and Sentry, combined with New Relic (detected via DuckDuckGo), highlights a broader issue: users are left in the dark about the trackers integrated into your application. As a paying Pro subscriber, I should not have to rely on third-party tools like Exodus Privacy and DuckDuckGo to uncover what data is being collected and by whom. This lack of transparency erodes trust and creates a negative experience for privacy-conscious users.
### Requests for Action
- Full Disclosure of Trackers: Publish a comprehensive list of all third-party trackers integrated into your app (including AppsFlyer, Sentry, and New Relic).
- Transparency Updates: Update your Privacy Policy and app settings to include detailed information about these trackers, why each tracker is necessary and how it aligns with GDPR principles.
- Privacy Dashboard: Introduce a user-facing privacy dashboard